Analytics Story: Splunk Vulnerabilities

Description

Keeping your Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product.

Why it matters

This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly.

Detections

| Name | Technique | Type |
|------|-----------|------|
| Detect Risky SPL using Pretrained ML Model | Command and Scripting Interpreter | Anomaly |
| Splunk App for Lookup File Editing RCE via User XSLT | Exploitation of Remote Services | Hunting |
| Splunk Authentication Token Exposure in Debug Log | Log Enumeration | TTP |
| Splunk Code Injection via custom dashboard leading to RCE | Exploitation of Remote Services | Hunting |
| Splunk Command and Scripting Interpreter Delete Usage | Command and Scripting Interpreter | Anomaly |
| Splunk Command and Scripting Interpreter Risky Commands | Command and Scripting Interpreter | Hunting |
| Splunk Command and Scripting Interpreter Risky SPL MLTK | Command and Scripting Interpreter | Anomaly |
| Splunk Enterprise KV Store Incorrect Authorization | Abuse Elevation Control Mechanism | Hunting |
| Splunk Improperly Formatted Parameter Crashes splunkd | Endpoint Denial of Service | TTP |
| Splunk Information Disclosure on Account Login | Account Discovery | Hunting |
| Splunk Path Traversal In Splunk App For Lookup File Edit | File and Directory Discovery | Hunting |
| Splunk RCE PDFgen Render | Exploitation of Remote Services | TTP |
| Splunk RCE Through Arbitrary File Write to Windows System Root | Exploitation of Remote Services | Hunting |
| Splunk RCE via User XSLT | Exploitation of Remote Services | Hunting |
| Splunk Sensitive Information Disclosure in DEBUG Logging Channels | Unsecured Credentials | Hunting |
| Splunk User Enumeration Attempt | Valid Accounts | TTP |
| Splunk XSS Privilege Escalation via Custom Urls in Dashboard | Drive-by Compromise | Hunting |

Data Sources

| Name | Platform | Sourcetype | Source |
|------|----------|------------|--------|
| Splunk | Splunk | splunkd_ui_access | splunkd_ui_access.log |

Source: GitHub | Version: 1